or placing this configuration in the normal Web.config file and adding a location tag that points to the appropriate directory. For this to work, the authentication mode should be Windows or Forms. However, this works only for file types such as .aspx, .asmx and .ashx, and not for types such as html, pdf, txt, png, etc.

By default, Internet Information Services (IIS) passes requests for only certain file types to ASP.NET to service. Files with file-name extensions such as .aspx, .asmx, and .ashx are already mapped to the ASP.NET ISAPI extension (Aspnet_isapi.dll).

and the solution is:

To have IIS pass other file-name extensions to ASP.NET, you must register the extensions in IIS.

My Issue: My authentication mode was Windows, and this solution on MSDN solved my problem of blocking unauthorized users, but I was unable to provide access for authorized users too.

My Solution: I have created a separate HttpHandler for the required file types, so that I can check for the proper session for authentication.
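
A sketch of such a handler follows. It is an added example, not the author's code. The class name `ProtectedFileHandler` and the session key `AuthenticatedUser` are assumptions, and `MimeMapping` requires .NET 4.5 or later.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Hypothetical handler. Register it for the static extensions to protect
// (for example *.pdf) so that ASP.NET, not IIS, serves those requests.
public class ProtectedFileHandler : IHttpHandler, IReadOnlySessionState
{
    // Assumption: the sign-in code stores this key in session on success.
    private const string SessionKey = "AuthenticatedUser";

    // The handler keeps no per-request state, so one instance can be reused.
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Deny when there is no session or no sign-in marker in it.
        if (context.Session == null || context.Session[SessionKey] == null)
        {
            context.Response.StatusCode = 403;
            return;
        }

        // PhysicalPath is the URL already mapped to disk by ASP.NET.
        // Normalise it and confirm it stays under the application root.
        string root = context.Request.PhysicalApplicationPath;
        string path = Path.GetFullPath(context.Request.PhysicalPath);
        if (!path.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Keep protected content out of shared caches between client and server.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.ContentType = MimeMapping.GetMimeMapping(path);

        // Stream the file without loading it fully into memory.
        context.Response.TransmitFile(path);
    }
}
```

Implementing `IReadOnlySessionState` is what makes `context.Session` available inside the handler; without one of the session-state marker interfaces it is null and every request would be denied.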